SE Linux patch(Re: [BusyBox] SE Linux)

Takeharu KATO takeharu1219 at ybb.ne.jp
Mon May 2 21:06:58 UTC 2005


Dear Landley:
> 
> Okay, since this came up again...  I don't use selinux, but I do commit things 
> to the busybox repository (until Erik screams about it, anyway), so lemme 
> read the patch...
> 
Thank you for your review.

> In theory when the whole #ifdef is surrounded by an #if statement like that, 
> the #ifdef #endif could be replaced with a #define hidden in a header 
> somewhere that allows the compiler's dead code elimination to handle things.  
> Just a comment...
> 
> 
Okay, I will fix this issue.

>>> #ifdef CONFIG_SELINUX
>>>-	while ((p = procps_scan(0, 0, NULL)) != 0) {
>>>+	security_context_t sid=NULL;
>>>+	while ((p = procps_scan(0, 0,&sid)) != 0) {
>>> #else
>>> 	while ((p = procps_scan(0)) != 0) {
>>> #endif
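Review bot: sid is handed to procps_scan by address on every pass of the while loop, and nothing in the visible lines releases it. If procps_scan fills it from libselinux (for example through getpidcon), each context is heap-allocated and needs freecon(sid) before the next iteration, otherwise the loop leaks one context per scanned process. The opening brace is also repeated in both branches of the #ifdef; keeping only the procps_scan call inside the conditional and the brace outside it keeps the braces balanced whichever branch is compiled.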
> 
>
Sorry, I'll move the curly bracket outside of the #ifdef.

>>> #ifdef CONFIG_SELINUX
>>> 		if(use_selinux)
>>> 		{
>>>-			if(fstat_secure(fileno(fp), &sb, sid))
>>>-				continue;
>>>+			if (is_selinux_enabled()) {
>>>+					if (getpidcon(pid,sid)<0)
>>>+							continue;
>>>+			}
>>> 		}
>>>-		else
>>> #endif
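Review bot: dropping the else in front of the #endif changes control flow, not just the SELinux call: the statement that follows the #endif used to be skipped when use_selinux was set and now runs in every case, so please confirm that is intended. In the added lines, is_selinux_enabled() returns -1 on error, which this test treats as enabled; comparing with > 0 avoids that. When use_selinux is set but SELinux is not enabled, sid is left untouched, so whatever prints it later has to cope with a stale or NULL value. The declaration of sid is not in the hunk; getpidcon expects a pointer to the context, so check that sid has that type here.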
> 
> 
> Again the if() wrapped #ifdef...
> 
I'll fix it.

> 
>>> 	syslog(LOG_INFO, "System Maintenance Mode\n");
>>>-	run_shell(pwent.pw_shell, 1, 0, 0);
>>>+#ifdef CONFIG_SELINUX
>>>+	getcon(&sid);
>>>+#endif
>>>+	run_shell(pwent.pw_shell, 1, 0, 0
>>>+#ifdef CONFIG_SELINUX
>>>+	, sid
>>>+#endif
>>>+		  );
>>> 	return (0);
>>> }
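Review bot: the result of getcon(&sid) is discarded before sid is passed to run_shell. getcon returns -1 on failure, in which case sid may not have been set and the maintenance shell would be started with an indeterminate context; check the return value and either abort or pass NULL explicitly. Splitting the run_shell argument list with #ifdef also gives the function two signatures depending on configuration; a fixed signature, with the context supplied some other way when SELinux is compiled in, keeps every caller building the same way.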
> 
> 
> This part makes my eyeballs hurt.  You're changing the number of arguments of 
> run_shell depending on a config option.  Is there some way to make sid a 
> global, or have it re-query it or something?
> 
I'll try to solve the issue.
I may introduce a new static variable to store the current sid, and 
run_shell will use it as its sid.
The code will then be changed as follows:

1) To set the security context, it calls the function that renews the 
present sid.
2) Call the normal run_shell.

With this approach, the run_shell function can remain the same.


